b"               OFFICE OF\n               INSPECTOR\n               GENERAL\n               UNITED STATES POSTAL SERVICE\n\n\n\n\n          Information Storage Security\n\n                        Audit Report\n\n\n\n\n                                              March 27, 2014\n\nReport Number IT-AR-14-004\n\x0c                                                                      March 27, 2014\n\n                                                      Information Storage Security\n\n                                                        Report Number IT-AR-14-004\n\n\n\n\nBACKGROUND:                                oversight of the storage teams. They did\nThe U.S. Postal Service Information        not, for example, conduct periodic\nTechnology, Computer Operations, Data      employee access reviews. The absence\nManagement Services group manages          of proper security practices and training\na     petabyte storage environment         increases the likelihood of an adverse\n(equating a byte to 1 second, a petabyte   impact on Postal Service operations,\nis 35.7 million years). This environment   such as an outage of a customer-\nsupports 230 systems and applications      dependent system.\ncontaining various categories of data,\nsuch as personal employee information,     In addition, the Corporate Information\nwhich have different protection            Security Office did not provide guidance\nrequirements that reflect their level of   for storage environments as it has for\nsensitivity. The Postal Service spends     operating systems, databases, and\nabout $30 million annually on storage      telecommunication security.\ncomponents.                                
Establishing minimum security\n                                           expectations for storage environments\nThe Data Management Services group         can reduce the likelihood of critical\nincludes two storage teams \xe2\x80\x93 Storage       system and application outages\nDeployment and Architecture \xe2\x80\x93 which        throughout Postal Service operations.\nmanage storage-based hardware in the\nnon-mainframe environment.                 WHAT THE OIG RECOMMENDED:\n                                           We recommended management\n                                           establish operating procedures and\n                                           security requirements and improve\n                                           oversight of storage environments. We\nA system outage in 2010 revealed that      recommended management also ensure\nPostal Service storage environments        personnel are trained to maintain\nwere never subject to security reviews     storage skills. In addition, we\nor audits. Our objective was to assess     recommended management develop a\nthe security of information storage        schedule to bring the storage\nenvironments managed by this group.        environment into compliance with\n                                           established requirements. Finally, we\nWHAT THE OIG FOUND:                        recommended the Corporate\nThe Data Management Services group         Information Security Office establish\ndid not manage the storage environment     security requirements for storage\nin accordance with Postal Service          environments.\nsecurity requirements because its\nmanagers did not provide adequate          Link to review the entire report\n\x0cMarch 27, 2014\n\nMEMORANDUM FOR:            JAMES P. COCHRANE\n                           CHIEF INFORMATION OFFICER AND EXECUTIVE VICE\n                           PRESIDENT\n\n                           JOHN T. 
EDGAR\n                           VICE PRESIDENT, INFORMATION TECHNOLOGY\n\n                                 E-Signed by Sean Balduff\n                            ERIFY authenticity with eSign Deskto\n\n\n\n\n                           for\nFROM:                      John E. Cihota\n                           Deputy Assistant Inspector General\n                            for Financial and Systems Accountability\n\nSUBJECT:                   Audit Report \xe2\x80\x93 Information Storage Security\n                           (Report Number IT-AR-14-004)\n\nThis report presents the results of our audit of Information Storage Security (Project\nNumber 13BG010IT000).\n\nWe appreciate the cooperation and courtesies provided by your staff. If you have any\nquestions or need additional information, please contact Sean Balduff, acting director,\nInformation Technology, or me at 703-248-2100.\n\nAttachment\n\ncc: Corporate Audit and Response Management\n\x0cInformation Storage Security                                                                                        IT-AR-14-004\n\n\n\n\n                                               TABLE OF CONTENTS\n\n\nIntroduction ..................................................................................................................... 1\n\nConclusion ...................................................................................................................... 2\n\nData Management Services\xe2\x80\x99 Oversight of Storage Teams.............................................. 2\n\nGuidance for Storage Environments ............................................................................... 4\n\nRecommendations .......................................................................................................... 5\n\nManagement\xe2\x80\x99s Comments .............................................................................................. 
5\n\nEvaluation of Management\xe2\x80\x99s Comments ......................................................................... 6\n\nAppendix A: Additional Information ................................................................................. 7\n\n   Background ................................................................................................................. 7\n\n   Objective, Scope, and Methodology ............................................................................ 7\n\n   Prior Audit Coverage ................................................................................................... 8\n\nAppendix B: Data Management Services\xe2\x80\x99 Management Oversight ................................. 9\n\nAppendix C: Management's Comments ........................................................................ 14\n\x0cInformation Storage Security                                                                            IT-AR-14-004\n\n\n\n\nIntroduction\n\nThis report presents the results of our self-initiated audit of Information Storage Security\n(Project Number 13BG010IT000). Our objective was to assess the security of\ninformation storage environments managed by the U.S. Postal Service Information\nTechnology (IT), Computer Operations, Data Management Services (DMS) group. See\nAppendix A for additional information about this audit.\n\nIn January 2013, the Postal Service\xe2\x80\x99s DMS group managed over        petabytes1 (PB)\nof enterprise-level storage at the IT Centers (ITC) in\nOver the past 5 years, Computer Operations has reduced its physical storage footprint\nby 50 percent and doubled the amount of storage space. By the end of calendar year\n2013, the amount of storage space managed had increased to          .\n\nThe storage group was composed of about\n               on three teams: DMS Architecture, DMS Storage Deployment, and DMS\nMainframe Storage. 
This audit focused on the DMS Architecture and DMS Storage Deployment teams, which manage storage in the non-mainframe environment.[2] The DMS Architecture team is responsible for managing the configuration of most of the storage hardware, managing the storage switches, and designing and maintaining the architectural records for the environment. The DMS Storage Deployment team fulfills requests for storage by application owners and manages the remaining storage hardware. Team members reside at the       .

Roughly       of the two storage teams are contractors – with the majority of personnel provided by the storage hardware vendor,       . According to the storage contract,       is responsible for determining the training necessary to fulfill the contract requirements; and for tracking the training, skills, education, and experience of the personnel provided. Postal Service management is responsible for ensuring all personnel under its supervision, including contractors, receive information security training. In addition, management is responsible for maintaining training records and supervising information security responsibilities of its onsite personnel.

[1] A PB is a measure of memory or storage capacity and is equal to 1 million gigabytes. Equating a byte to 1 second, a PB would equal 35.7 million years.
[2] We did not review storage in the mainframe environment in detail since tests of controls in this area were performed in concurrent fiscal year (FY) 2013 audit projects.
[3]       members are contractors, including       from       and       

Our audit of a system outage in 2010 revealed that Postal Service storage environments were not subject to external security reviews or audits.
[4] Specifically, the Postal Service experienced a 4-day outage of       in February 2010 due to an incorrect command executed in the storage environment. As a result, the Postal Service incurred additional employee overtime and contractor costs for inputting a backlog of postage statements and restoring       services. The extra costs incurred by customers to complete the interim manual process negatively impacted the Postal Service brand and goodwill. In addition, the Postal Service recognized revenue late, which could have had an adverse effect on financial reporting had the outage occurred at the end of a quarter or fiscal year.

Conclusion

The DMS group did not manage the storage environment in accordance with established policies. This occurred because DMS managers did not provide adequate oversight of the storage environment teams, such as       or conducting periodic employee access reviews. In addition, the Corporate Information Security Office (CISO) did not provide adequate guidance for securing storage-based information resources.[6]       has noted that organizations often overlook security controls in storage environments. The absence of proper security practices increases the likelihood of an adverse impact on Postal Service operations, such as an outage of a customer-dependent system.

Data Management Services' Oversight of Storage Teams

DMS personnel did not manage the storage environment in accordance with the security requirements outlined in Postal Service Handbook AS-805.[7] DMS managers did not adequately oversee the storage teams and failed to develop security operating procedures and monitor operational security training.
The absence of proper security practices and training increases the likelihood of an adverse impact on Postal Service operations, such as an outage of a customer-dependent system like the one used to manage customers' changes of address.

Information resources are all Postal Service information assets, including information systems, hardware, software, data, applications, telecommunications networks, and related resources and the information they contain.
[7] Postal Service Handbook AS-805, Information Security, May 2013, Sections 2-2.10, 8-5.4.3, and 8-5.4.4.

The absence of adequate DMS management oversight was evident in the following ways:

• Implementation of Handbook AS-805 — We noted 20 examples in       security areas where DMS personnel were not informed how to administer storage resources in accordance with Handbook AS-805. For example, administrators were not informed how to ensure that a user formally requests account access and receives a manager's review or approval before an administrator creates an account on a storage device. In addition, there was no evidence that DMS managers periodically reviewed access granted to their team members as required by Handbook AS-805. We identified 31 user accounts that either remained on four types of devices as duplicates or were not removed after the owners no longer had storage responsibilities. We also identified eight default accounts with default passwords remaining on four types of storage devices.
The majority of the storage team members were contractors, and managers are required to supervise the information security responsibilities of onsite contractors under their supervision.

• Monitoring of Training — We noted two examples in separate security areas where storage administrators were not familiar with a new management tool or a change in vendor guidance. In one example, DMS implemented the       in its storage environments.[9]       strongly recommends that customers enable the       feature to provide access authorization and activity-logging capabilities (required under Postal Service policy) when the       is installed. The DMS storage administrators elected not to enable the feature due to concerns that the storage environment lacks 24-hour support. They were not aware the feature could be configured to provide the same level of remote access previously provided to       without requiring 24-hour support by the Postal Service. Postal Service IT policies dictate that business and line managers and supervisors are responsible for ensuring all personnel under their supervision receive information security training. In addition, these managers are responsible for maintaining training records and supervising information security responsibilities of their onsite contractor personnel.

See Appendix B, Table 1 for a complete list of the security areas and examples of noncompliance noted during the audit.

Storage environments are subject to numerous risks, including data loss or exposure, system outages, and data corruption. In the event of a storage-related outage, the Postal Service would likely experience additional overtime and contractor costs related to restoring the system, plus potential manual processing efforts.
In addition, if an outage were to occur at the end of a quarter or fiscal year, financial reporting could be adversely impacted by late recognition of revenue. This project did not disclose any specific risk with particular applications or systems. The potential costs or lost revenue would vary widely depending on the system impacted, the length of an outage, and recoverability of lost or corrupted data. Further, any of these conditions during a peak volume period would likely attract negative press, impact customer satisfaction, and harm the Postal Service's goodwill and brand.

The       provides       with secure access to remotely monitor and respond to potential problems with its customers' storage devices.

Guidance for Storage Environments

CISO did not provide adequate guidance for securing storage-based information resources. Current Postal Service policy requires that hardware and system software be configured to information security requirements specific to the Postal Service.[10] Policy also establishes that CISO is responsible for developing detailed guidance in the form of handbooks, standards, practices, and hardening[11] policies.       notes that, while companies often overlook storage security controls, leading enterprises are expanding security strategies to include more direct protection.

We identified areas where additional guidance for storage environments would improve security operations. For example:

• DMS-managed storage devices are not synchronized to a trusted, internal Postal Service time source.
Some devices are synchronized to the vendor's time source. A common, accurate time source across the Postal Service environment would ensure that event records from different sources or devices can be correlated when necessary.

• Storage devices designated by DMS as supporting non-production environments were found to be supporting environments considered production environments by their owners. We found the definition of a "production" or a "non-production" environment changed based on the function of the speaker – that is, the storage team, operating system administrator, or application owner. For example, the business team for one application considered the servers used for training to be part of a production environment, and expected related devices to be treated as production from a support and maintenance perspective. However, the DMS storage team was managing the associated storage device as a "non-production" device. The primary impact of a "production" versus "non-production" designation is whether the stored data is copied and incorporated into disaster recovery procedures.

      promotes security best practices that move beyond a perimeter defense and build security into the storage infrastructure. By establishing the minimum security expectations for storage environments, CISO can reduce the likelihood of critical system outages or corrupted data throughout Postal Service operations.
See Appendix B, Table 2 for examples of areas where additional guidance of storage environments would improve security operations.

[10] Handbook AS-805, Sections 2-2.5 and 8-2.4.2, establish CISO's responsibility for developing information security guidance and the requirement for hardware and software hardening.
[11] Hardening is the process of implementing software, hardware, or physical security controls to mitigate risks associated with the Postal Service infrastructure and critical and sensitive information resources.

Recommendations

We recommend the vice president, Information Technology, direct the manager, Computer Operations, to:

1. Ensure Data Management Services management provides security operating procedures, periodic reviews, and oversight for the storage teams as required by Handbook AS-805, Information Security.

2. Ensure the vendor for the storage contract provides periodic training to personnel to maintain storage group knowledge and skills with vendor products and management tools.

3. Evaluate the storage environment managed by Data Management Services against Handbook AS-805, Information Security, security requirements and develop a schedule to bring the environment into compliance.

We recommend the chief information officer and executive vice president direct the manager, Corporate Information Security, to:

4. Establish minimum security requirements for storage devices in Postal Service environments based on industry best practices.

5. Specifically address storage devices and storage environment security requirements within Handbook AS-805, Information Security, to reflect the significance of these infrastructure components.
This should include guidance on consistent use of production and non-production designations among storage teams and application owners.

Management's Comments

Management agreed with all the findings and recommendations in the report. In response to recommendation 1, management is planning to register resources and roles in the eAccess system to facilitate regular access reviews. The planned implementation date is September 30, 2014.

In response to recommendation 2, management will work with the contracting officer to receive quarterly training reports beginning April 1, 2014.

In response to recommendation 3, management will develop a gap analysis by May 1, 2014, and provide a plan for corrective actions to the U.S. Postal Service Office of Inspector General (OIG) by June 1, 2014.

In response to recommendation 4, management from Computer Operations and CISO will coordinate to establish minimum security requirements for storage in Postal Service environments by September 30, 2014.

In response to recommendation 5, management will update Handbook AS-805, Information Security, to address storage devices and storage environment security requirements by September 30, 2014.

See Appendix C for management's comments, in their entirety.

Evaluation of Management's Comments

The OIG considers management's comments responsive to recommendations 2 through 5 and the corrective actions should resolve the issues identified in the report. Regarding recommendation 1, management's comments address the recommended periodic reviews, but do not specifically discuss actions to implement security operating procedures or oversight for the storage teams.
Since security operating procedures and oversight are required by Handbook AS-805, the OIG will monitor implementation and compliance for these items through the gap analysis and plan for corrective actions outlined in management's response to recommendation 3.

The OIG considers recommendations 1 through 4 significant, and therefore requires OIG concurrence before closure. Consequently, the OIG requests written confirmation when corrective actions are completed. These recommendations should not be closed in the Postal Service's follow-up tracking system until the OIG provides written confirmation that the recommendations can be closed.

Appendix A: Additional Information

Background

At the end of December 2013, DMS managed about       PB of enterprise-level storage[12] at the ITCs in       . The Postal Service spends about $30 million annually on storage components.

The DMS-managed storage devices support 230 production IT systems and applications running on over 1,100 servers[13] at the       ITCs. For example, these devices store data for the systems used to process biweekly payroll for Postal Service employees and to manage changes of address for Postal Service customers. The devices also support non-production systems and environments. Each of the storage devices has a combination of numerous categories of stored data[14] including sensitive data, personally identifiable information, and debit and credit card records.
Different categories of data have different protection requirements, including where the data can be accessed, use of encryption, storage location, and retention periods.

Objective, Scope, and Methodology

Our objective was to assess the security of information storage environments managed by DMS. To accomplish our objective, we interviewed officials at Postal Service facilities in       . We also reviewed applicable Postal Service policies and procedures, guidelines, and reports.

Our review focused on the production storage environment managed by DMS at the       ITC during FY 2013. The scope of our audit included hardware devices such as disk arrays,[15] servers used for managing the storage environment, and switches controlling the storage network.

In the absence of Postal Service guidance for hardening storage environments, we selected several security hardening topics and reviewed DMS-managed storage devices for compliance. The topics appear in Figure 1.

[12] Enterprise storage is a broad category that includes products and services used to assist large organizations with large volumes of data and large numbers of users.
It usually involves centralized storage repositories.
[13] These include host servers, which, in turn, may support multiple virtual servers.
[14] The Postal Service is mandated to protect information of its customers, employees, and suppliers, and in order to do so, it categorizes systems and data by sensitive, sensitive-enhanced, personally identifiable information, non-sensitive, debit and credit card records, Privacy Act records, and financial reporting data required to comply with the Sarbanes-Oxley Act of 2002.
[15] A disk array is a hardware element that contains a large group of hard disk drives.

Figure 1. Hardening Topics Selected for Review

• Change Management Practices
• Disposal
• Encryption Services
• Logging and Log Monitoring
• Management Interfaces
• Modems
• Password Policies
• Patching Practices
• Role-Based Access Control
• Secure Application Programming Interface
• Services and Ports
• Session Timeout
• Storage Scripts
• Training and Management Support
• User Account Management

Source: OIG analysis.

We conducted interviews, assessed security configurations from randomly sampled production storage devices and software, reviewed controls over access to stored data, analyzed the storage architecture, and performed other necessary measures to address the audit objectives. The team also contacted Postal Service contracting officers regarding several components of the       storage contract.
We researched and identified nine best practices or norms from sources like the Storage Networking Industry Association (SNIA™) and the National Security Agency, Systems and Network Analysis Center. We coordinated with the Council of the Inspectors General on Integrity and Efficiency and did not identify any audit work performed on the security of storage environments of other agencies.

We conducted this performance audit from July 2013 through March 2014 in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We discussed our observations and conclusions with management on March 5, 2014, and included its comments where appropriate.

We did not assess the reliability of any computer-processed data for the purposes of this report. The computer-processed data analyzed during the audit provided the context for the environment audited and did not significantly affect the findings, conclusions, or recommendations in this report.

Prior Audit Coverage

The OIG did not identify any prior audits or reviews related to the objective of this audit.

Appendix B: Data Management Services' Management Oversight

The audit focused on production hardware in the DMS-managed storage environment at the       ITC.
Table 1 lists descriptions of types of noncompliance with Handbook AS-805 across multiple security areas caused by inadequate management oversight. A check (√) under the device type indicates an issue exists with at least one sample of that type.

During the audit, members of the DMS storage teams and others initiated corrective action to address some of the issues we found. These include removing unnecessary and outdated accounts from storage devices, updating the session timeouts on two types of devices, implementing the       to replace modem access, and conducting a physical inventory of storage devices in the       ITC.

Table 1: Impact of Inadequate DMS Management Oversight

Section A: Implementation of Handbook AS-805

                                                                           Device type[16]
       Description                                                (1)   (2)   (3)   (4)   (5)
1      Account management
1.1                                                                √     √     √     √     √
1.2                                                                      √                 √
1.3                                                                √           √     √     √
1.4    User accounts are not periodically reviewed.                √     √     √     √     √
1.5    Use of privileged accounts is not restricted.               √     √     √     √
1.6    Shared account is not registered.                           √     √     √           √
2      Password policies
2.1                                                                √     √     √           √
2.2    Administrator-level accounts had no password expiration.          √                 √
2.3    No documented approval for non-expiring passwords.                √                 √
2.4                                                                      √     √
2.5    No confirmation that vendor defaults comply with            √
       Handbook AS-805.
3      Role-based access control
3.1    No separation of security and administrative duties.[17]    √     √     √     √     √
4      Idle session timeout
4.1    No idle timeout set.                                                          √
4.2    No confirmation that vendor defaults comply with            √           √
       Handbook AS-805.
5      Patching practices
5.1    The current process for evaluating       device and       (which incorporates reliance on
       the vendor for certain aspects, such as testing and implementation) is not documented. The
       current process for evaluating       patches is not documented.
6      Use of modems and       
6.1    CISO has no record of a DMS request for authorization to use modems. Sixteen of 29 identified
       modems remain in operation following implementation of the       . Thirteen of the 16 modems
       are connected to devices already converted to the       .
6.2    CISO and the Network Connectivity Review Board[18] have no record of a DMS request for the
             used in the non-Payment Card Industry environment.
7      Storage scripts
7.1    An external review of a sample storage script did not identify any specific concerns. However,
       based on the extensive use of scripts by the storage teams, security could be enhanced with
       additional oversight for the use of:
       • Comments sections that include the purpose, date of creation, author, and platform notes (and
         change record reference).

[16]       is the contract vendor providing most of the hardware storage devices used by DMS. These include       
[17] Most storage devices give administrators the ability to create custom roles as necessary (the exception is       ). The audit disclosed that vendor default roles were used to grant administrator level authority to accounts regardless of work responsibilities (that is, account owners or users who are assigned to different DMS teams).
[18] Postal Service Handbook AS-805-D, Information Security Network Connectivity Process, Section 2-6, September 2009, establishes the Board's responsibility for evaluating and approving or rejecting requests for Postal Service connections to external systems, and for reviewing new information resource,
infrastructure, and network\nconnections and their effects on overall Postal Service operations and information security.\n\n                                                          10\n\x0cInformation Storage Security                                                          IT-AR-14-004\n\n\n\n\n                       Section A: Implementation of Handbook AS-805\n                                                                             16\n                                                               Device type\n\n                  Description\n\n\n        \xef\x82\xa7   Techniques to avoid hard coding management workstations within scripts.\n8 Asset management\n8.1    DMS records of the devices in the storage environment were generally incomplete. The\n       teams relied on the vendor\xe2\x80\x99s account manager for records of the location and status of\n       storage devices. For example, one               device confirmed during the physical\n       inventory did not appear in the records provided by DMS. In another example, two\n       servers installed as management servers were not identified by DMS until the end of\n       the audit.\n8.2    Personnel were unfamiliar with the location, Internet address, or status of a vendor-\n       supplied server connected to the storage environment.\n\n                                 Section B: Monitoring of Training\n\n1\n1.1                                  was not enabled. If enabled,                 could\n    provide compliance with the Postal Service requirement to maintain activity logs and\n    provide authorization control while allowing      the necessary level of remote access.\n    This would not require 24-hour storage support by the Postal Service.\n2 Reliance on outdated commands\n2.1       replaced older commands on             devices with a new tool to manage user\n    accounts. 
Although the new tool is available to the DMS team, it continues to manage\n    accounts using the older commands.\nSource: OIG audit analysis results.\n\nTable 2 provides examples of security areas where additional guidance is needed for\nprotecting storage environments. The CISO needs to establish minimum security\nrequirements for individual storage device types to protect operations and data in the\nPostal Service environment.\n\n\n\n\n                                                 11\n\x0cInformation Storage Security                                                          IT-AR-14-004\n\n\n\n\n                 Table 2: Additional Postal Service Guidance is Needed\n\n\n                                        Security Area\n\n1 Storage environments discussed in Handbook AS-805\n1.1    Handbook AS-805 does not discuss security for storage environments in a manner that\n       reflects the current role it serves in maintaining computer operations. For example, the\n       Hardware Security section of the handbook discusses mainframes, network devices,\n       servers, workstations, and mobile computing devices; however, there is no section\n       dedicated to storage devices.\n2 Specific device guidance \xe2\x80\x93 for example, hardening standard or baseline\n2.1   Handbook AS-805 requires hardware and system software to be hardened to Postal\n      Service requirements. Hardening guidance exists for operating systems, databases,\n      network and telecommunications; however, the minimum Postal Service requirements\n      have not been established for storage devices or switches used within storage\n      environments.\n3 Interpreting vendor guidance\n3.1         guidance for error message logging differs from the Postal Service hardening\n      standard for non-storage switches. All error messages are rated from greatest severity\n      zero (emergencies such that the system is unusable) to least severity seven (debugging\n      messages). 
The vendor uses severity five (notifications of normal, but significant\n      conditions) as the minimum level to be logged, while the Postal Service standard is for\n      logging messages no lower than severity six (informational messages).\n3.2            security guidance offers three options for authentication credentials and\n      encourages organizations to determine the best option for their environment. The Postal\n      Service has not determined the best option for the DMS storage environment.\n3.3               security guidance on accepting connections from remote clients provides\n      parameters to be configured to the organization\xe2\x80\x99s acceptable tolerance levels. The\n      Postal Service has not determined the appropriate tolerance levels for the DMS storage\n      environment.\n4 Logging practices\n4.1    The SNIA maintains storage security best practices that include a list of the kinds of\n       events that should be logged. The Postal Service has not established the kinds of\n       events to be logged by devices in the DMS storage environment. Therefore, the types of\n       activity and severity levels logged by DMS-managed switches are inconsistent.\n4.2    Several types of DMS-managed storage devices retain logs only on the device. SNIA\n       recommends use of centralized audit logging from all sources for automated analysis,\n       alerting, and archiving to support compliance, accountability, and security.\n5 Synchronized clocks\n5.1    DMS-managed storage devices are synchronized to either the vendor\xe2\x80\x99s time source or\n       to multiple Postal Service time sources. SNIA best practices include use of a common,\n       accurate time source across the environment. 
While existing hardening standards for\n       other Postal Service resources discuss the use of network time protocol, there is no\n       guidance provided for storage environments.\n\n                                               12\n\x0c Information Storage Security                                                          IT-AR-14-004\n\n\n\n\n                                          Security Area\n\n 6 Account management\n 6.1             devices do not provide the ability to monitor password aging for local accounts.\n         Guidance should be provided on whether these accounts should be submitted for\n         approval as non-expiring password accounts.\n 7 Script automation\n 7.1     Based on the extensive use of scripts and automation, security could be enhanced with\n         additional guidance on the use of:\n            \xef\x82\xa7 An inventory, approval, and management structure for all script automation.\n            \xef\x82\xa7 Documented change control procedures for all script automation.\n 8 Production versus non-production\n 8.1     Storage devices internally designated as non-production were found to be supporting\n         environments considered production by their owners. The definition of what is\n         \xe2\x80\x9cproduction\xe2\x80\x9d and \xe2\x80\x9cnon-production\xe2\x80\x9d changes based on the speaker \xe2\x80\x93 that is, storage\n         team, operating system administrator, or application owner.\nSource: OIG audit analysis results.\n\n\n\n\n                                                 13\n\x0cInformation Storage Security                                   IT-AR-14-004\n\n\n\n                           Appendix C: Management's Comments\n\n\n\n\n                                          14\n\x0cInformation Storage Security        IT-AR-14-004\n\n\n\n\n                               15\n\x0cInformation Storage Security        IT-AR-14-004\n\n\n\n\n                               16\n\x0c"